Poland: UODO fines ClickQuickNow PLN 201,000 for GDPR violations
The Polish data protection authority ('UODO') issued, on 6 November 2019, a decision ('the Decision') in which it imposed a fine of PLN 201,000 (approx. €47,120) against ClickQuickNow Sp. z o. o. for not implementing appropriate technical and organisational measures, following an individual's complaint regarding their request to withdraw consent to the processing of their personal data and to exercise their right to be forgotten. In particular, UODO outlined that ClickQuickNow required users to provide reasons for requests to withdraw their consent, in violation of Article 7(3) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), which stipulates that withdrawing consent shall be as easy as giving consent.
Furthermore, UODO noted that ClickQuickNow had processed a number of individuals' personal data without a legal basis and as it had not responded to data subjects' request to cease processing, ClickQuickNow had violated the right to be forgotten (Article 17(1)(b) of the GDPR). Finally, the UODO highlighted that it had not taken any mitigating circumstances into account when determining the amount of the fine, emphasising that ClickQuickNow's operations were intentional, and ordered the company to adopt the provisions of the GDPR and delete personal data of individuals who are not its clients within 14 days from the issuing of the Decision.
UPDATE (8 November 2019)
EDPB announces UODO fine for GDPR violations
The European Data Protection Board ('EDPB') announced, on 6 November 2019, that UODO had issued a fine to ClickQuickNow for obstructing the right to withdraw consent to the processing of personal data. In particular, the EDPB outlined that ClickQuickNow did not implement appropriate technical and organisational measures that enable easy and effective consent withdrawal to the processing of personal data, and the exercise of the right to obtain the erasure of personal data. Therefore, ClickQuickNow had violated the principles of lawfulness, fairness, and transparency of personal data processing, specified in the GDPR.
In addition, the EDPB highlighted that UODO, when determining the amount of the administrative fine, had not taken into account any mitigating circumstances affecting the final penalty, and it had also decided that ClickQuickNow's action was intentional by providing contradictory communications to the data subject interested in withdrawing consent, which resulted in ineffective withdrawal of consent, making it difficult, or even impossible to exercise data subject rights.
You can read the press release here.